Browser Extension

The vaultctl browser extension lets you autofill credentials, generate passwords, and save new logins directly from your browser.


Supported Browsers

| Browser | Support | Install Method |
|---|---|---|
| Google Chrome | Full | Chrome Web Store or manual load |
| Chromium-based (Edge, Brave, Vivaldi, Arc) | Full | Chrome Web Store or manual load |
| Firefox | Full | Firefox Add-ons or manual load |
| Safari | Not yet supported | -- |

Installation

  1. Open the Chrome Web Store (or your Chromium browser's extension store).
  2. Search for vaultctl and click Add to Chrome.
  3. Click Add Extension in the confirmation dialog.
  4. The vaultctl icon appears in your browser toolbar.

First-Time Setup

Click the extension icon

Click the vaultctl icon in your browser toolbar.

Enter your server URL

Type the URL of your vaultctl instance (e.g., https://vault.example.com). This is the same URL you use to access the web vault.

Log in

Enter your email and master password. If you have 2FA enabled, enter the TOTP code when prompted. Tick Remember me on this device to prefill your email next time and go straight to the master-password step.

Done

The extension is connected. Your vault syncs automatically.


Autofill

When you open a page with a login form, the extension matches the page's host against the URIs of your login items (exact host or a parent/sub-domain).

Inline field icon

If a stored login matches, a small teal vaultctl icon appears inside the username and password fields. Click it to fill the form. When more than one login matches the page, the icon opens a short list so you can pick the right account; choosing one fills it.

Autofill on load

With Autofill on page load enabled (Settings, off by default), the first matching login is filled automatically as soon as the page loads, with no click. Leave it off if you prefer to fill explicitly via the field icon.

Click to Fill from the popup

For forms that are not detected, open the extension popup, find the login, and use its copy/fill actions.

Matching and decryption happen inside the extension's background worker. A credential's password is only sent into the page at the moment you fill it, never preemptively.
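
The host matching described at the start of this section, as an added JavaScript example (not vaultctl's own code): stored URIs match only on whole DNS labels, so lookalike hosts are rejected. The function names, the item shape, bare-host URIs and the reading that either host may be the parent are assumptions.

```javascript
// Added example, not vaultctl source. hostOf, hostMatches and matchingLogins
// are hypothetical names; the item shape { name, uris } is assumed.

// Normalized host of a page URL or stored URI; null if not http(s).
function hostOf(uri) {
  try {
    const u = new URL(uri.includes('://') ? uri : `https://${uri}`);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return null; // an unparseable URI never matches
  }
}

// True when child equals parent or sits below it on a label boundary.
// The leading dot is what rejects "notexample.com" for "example.com".
function isSameOrSubdomain(child, parent) {
  return child === parent || child.endsWith(`.${parent}`);
}

function hostMatches(pageUrl, itemUri) {
  const page = hostOf(pageUrl);
  const item = hostOf(itemUri);
  if (!page || !item) return false;
  if (page === item) return true;
  // Assumption: "parent/sub-domain" lets either host be the parent.
  // Require two labels in the parent so a bare TLD such as "com" never
  // matches; suffixes like co.uk would need the Public Suffix List.
  const parent = page.length < item.length ? page : item;
  if (parent.split('.').length < 2) return false;
  return isSameOrSubdomain(page, item) || isSameOrSubdomain(item, page);
}

// Names of the logins whose stored URIs match the page (constructed shape).
function matchingLogins(pageUrl, items) {
  return items
    .filter((it) => it.uris.some((uri) => hostMatches(pageUrl, uri)))
    .map((it) => it.name);
}
```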


Saving and updating logins

After you submit a login or signup form, the extension compares what you entered against your vault and offers a non-blocking toast in the corner. It never blocks the page, and it slides away on its own after a configurable timeout if you ignore it.

  • New login -- if nothing in your vault matches the site, the toast offers to Save it as a new item.
  • Changed password -- if an item matches the site and username but the password differs, the toast offers to Update the stored password.
  • Already saved -- if the exact username and password are already stored, nothing is shown.

Saving and updating encrypt the item in the extension (the same client-side encryption as the web app) before sending it to your server.


Strong password suggestions

On signup and change-password forms, the extension can suggest a strong, generated password. When you focus a new-password field (detected via autocomplete="new-password", field names like "new"/"confirm"/"register", or a form with two password fields), a small suggestion appears with a generated password.

  • Use password fills it, and any confirm-password field in the same form, in one click.
  • Regenerate produces a different one.
  • The password is generated with the settings from the Generator tab (length and character classes).

This is skipped on plain sign-in fields (where a stored login already matches), so it only appears when you actually need a new password.
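
The detection signals listed above, as an added JavaScript example (not vaultctl's own code) that classifies password fields and picks the fields a single Use password click would fill. Forms are modelled as plain objects so it runs without a DOM; the function names and the treatment of autocomplete="current-password" as a sign-in marker are assumptions.

```javascript
// Added example, not vaultctl source. isNewPasswordField and fieldsToFill
// are hypothetical names; forms are constructed stand-ins for DOM forms:
// { fields: [{ type, name, id, autocomplete }] }.

// Name hints listed in the manual: "new", "confirm", "register".
const NAME_HINTS = /new|confirm|register/i;

function isNewPasswordField(field, form) {
  if (field.type !== 'password') return false;
  // autocomplete may carry several tokens, e.g. "section-a new-password".
  const tokens = (field.autocomplete || '').toLowerCase().split(/\s+/);
  if (tokens.includes('new-password')) return true;
  // Assumption: an explicit current-password token marks a sign-in field,
  // so it is excluded before the weaker heuristics run.
  if (tokens.includes('current-password')) return false;
  if (NAME_HINTS.test(`${field.name || ''} ${field.id || ''}`)) return true;
  // Last signal: a form with two (or more) password fields.
  const passwordFields = form.fields.filter((f) => f.type === 'password');
  return passwordFields.length >= 2;
}

// Fields that receive the generated password when the user accepts it:
// the focused field plus any other new-password field in the same form.
function fieldsToFill(focused, form) {
  if (!isNewPasswordField(focused, form)) return [];
  return form.fields
    .filter((f) => isNewPasswordField(f, form))
    .map((f) => f.name);
}
```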

Generated-password history

The Generator tab keeps a short list of passwords you recently copied or filled, so you can grab one again if a form didn't save. This history lives only in memory and is wiped when the vault locks - it is never written to disk. Two controls in the Generator tab tune it:

  • Keep - how many recent passwords to retain (default 5).
  • Expire - how long each entry stays before it drops off (15m / 1h / 4h / 24h).
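
How the Keep and Expire controls interact with locking, as an added JavaScript example (not vaultctl's own code): a memory-only list that prunes by age, caps by count and is emptied on lock. The class name, the injectable clock and the '1h' default for Expire are assumptions.

```javascript
// Added example, not vaultctl source. GeneratedHistory is a hypothetical name.
// Expire choices offered by the Generator tab, in milliseconds.
const EXPIRE_MS = new Map([
  ['15m', 15 * 60 * 1000],
  ['1h', 60 * 60 * 1000],
  ['4h', 4 * 60 * 60 * 1000],
  ['24h', 24 * 60 * 60 * 1000],
]);

class GeneratedHistory {
  // keep defaults to 5 as in the manual; the '1h' default is an assumption.
  // now is injectable so expiry can be tested without waiting.
  constructor({ keep = 5, expire = '1h', now = Date.now } = {}) {
    if (!EXPIRE_MS.has(expire)) throw new RangeError(`bad expire: ${expire}`);
    if (!Number.isInteger(keep) || keep < 1) throw new RangeError('bad keep');
    this.keep = keep;
    this.ttl = EXPIRE_MS.get(expire);
    this.now = now;
    this.entries = []; // newest first, held in memory only
  }

  // Drop entries older than the Expire window.
  prune() {
    const cutoff = this.now() - this.ttl;
    this.entries = this.entries.filter((e) => e.at > cutoff);
  }

  // Record a copied or filled password, newest first, capped at Keep.
  record(password) {
    this.prune();
    this.entries = this.entries.filter((e) => e.password !== password);
    this.entries.unshift({ password, at: this.now() });
    this.entries.length = Math.min(this.entries.length, this.keep);
  }

  list() {
    this.prune();
    return this.entries.map((e) => e.password);
  }

  // Call on vault lock. This drops the references; JavaScript strings are
  // immutable, so the bytes linger until the garbage collector reclaims them.
  wipe() {
    this.entries = [];
  }
}
```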

Alerts (captured logins)

When you submit a login the extension didn't manage to save inline, it queues the credential as an alert so you can deal with it later. Alerts live in the Alerts tab in the popup's bottom navigation, and the toolbar icon shows a small badge with the number of unread alerts.

Each alert is a login pending review. For each one you can:

  • Save - store it in your vault (encrypted in the extension first).
  • Dismiss (the x) - drop just that alert.

At the top of the tab:

  • Mark all read - clears the unread badge while keeping the alerts in the list.
  • Clear all - removes every alert.

Tapping an unread alert marks it read. Once everything is read or cleared, the toolbar badge disappears.

The alert queue is held in memory-only session storage - never written to disk, and cleared when you close the browser. It survives the browser recycling the extension's background worker, so the badge count and the list always agree and your clear / mark-read actions stick.


Auto-lock

The extension locks itself after a period of inactivity, clearing the decrypted keys from memory so the popup asks for your master password again. The period is configurable in the Settings tab (see below). The unlocked state is kept in memory-only session storage, so the extension does not lock at random when the browser recycles its background worker - it locks only when your chosen period actually elapses.


Autofill & saving settings

Open the extension popup and go to the Settings tab to configure behavior:

| Setting | Default | Description |
|---|---|---|
| Show field icon | On | Show the inline vaultctl icon inside matching login fields. |
| Autofill on page load | Off | Fill the first matching login automatically, without a click. |
| Offer to save / update | On | Show the save/update toast after a login submit. |
| Suggest strong passwords | On | Offer a generated password on new-password fields. |
| Prompt timeout | 8s | How long the save/update toast stays before it fades out. |
| Auto-lock | 15 min | Lock the extension after this much inactivity (1 / 5 / 15 / 30 / 60 minutes, or Never). |

The Settings tab also shows an About card with the running version, the maintainer, and links to the documentation and support.


Clipboard Auto-Clear

When you copy a password, username, or other sensitive field from the extension popup, your clipboard is automatically cleared after 30 seconds.


Keyboard Shortcut

Open the extension popup quickly with a keyboard shortcut:

| Platform | Default Shortcut |
|---|---|
| macOS | Cmd + Shift + L |
| Windows / Linux | Ctrl + Shift + L |

You can customize this shortcut in your browser's extension settings:

  • Chrome: chrome://extensions/shortcuts
  • Firefox: about:addons > gear icon > Manage Extension Shortcuts

Building from Source

If you prefer to build and load the extension yourself:

Clone the repository

git clone https://github.com/vineethkrishnan/vaultctl.git
cd vaultctl/extension

Install dependencies

npm install

Build

npm run build

Load in your browser

Chrome / Chromium: Go to chrome://extensions, enable Developer mode, click Load unpacked, and select the extension/.output/chrome-mv3 folder.

Firefox: Run npm run build:firefox, then go to about:debugging#/runtime/this-firefox, click Load Temporary Add-on, and select any file in the extension/.output/firefox-mv3 folder.

The extension communicates with your vaultctl server over HTTPS. All encryption and decryption happens locally in the extension -- the server only receives and stores encrypted blobs.